State of the Art Survey on Session Hijacking

Home , Session hijacking

Global Journal of Computer Science and Technology: E Network, Web & Security Volume 16 Issue 1 Version 1.0 Year 2016 Type: Double Blind Peer Reviewed International Research Journal Publisher: Global Journals Inc. (USA) Online ISSN: 0975-4172 | Print ISSN: 0975-4350 | DOI: 10.17406/GJCSTeVol16Is1Pg1

By Parves Kamal Saint Cloud State University, United States Abstract- With the advent of online banking more and more users are willing to make purchases online and doing so flourishes the online E-Business sector ever so more. Attackers are ever so vigilant and active now on web than ever to leverage the insecure web application and database that is out there on the internet to exploit. Today’s internet as we see are heavily integrated with sophisticated network whether it’s wired or wireless network. But the inherent compliancy to not integrating security while developing application leave it vulnerable to many attacks. One of the attack that has been prevalent now-a-days is: session hijacking. Key Terms: session-hijacking, CIA, spoof attack, CSS, SSL, captcha etc. GJCST-E Classification : C.2.1 C.2.4

StateoftheArtSurveyonSessionHijacking

Strictly as per the compliance and regulations of:

© 2016. Parves Kamal. This is a research/review paper, distributed under the terms of the Creative Commons Attribution- Noncommercial 3.0 Unported License http://creativecommons.org/licenses/by-nc/3.0/), permitting all non-commercial use, distribution, and reproduction inany medium, provided the original work is properly cited.

State of the Art Survey on Session Hijacking

Parves Kamal

Abstract- With the advent of online banking more and more successfully logged into the webserver creates a users are willing to make purchases online and doing so session between him and the server. In session flourishes the online E-Business sector ever so more. hijacking technique the attacker takes the control of the Attackers are ever so vigilant and active now on web than ever valid session from the user and replay packets to the to leverage the insecure web application and database that is server pretending to be the real user [Whitaker, A., & out there on the internet to exploit. Today’s internet as we see are heavily integrated with sophisticated network whether it’s Newman, D. (2006)]. The advantage of such attack is 201 wired or wireless network. But the inherent compliancy to not that the attacker do not have to break into the defense integrating security while developing application leave it of any firewalls, Intrusion detection system instead Year vulnerable to many attacks. One of the attack that has been he/she can just listen to the network and take over any prevalent now-a-days is: session hijacking. valid session. 1 Key Terms: session-hijacking, CIA, spoof attack, CSS, One of the reason behind successful rake over SSL, captcha etc. such session is because of the way the server and the user authenticate themselves initially. In many cases I. Introduction only the server authenticate itself to the client in secure here is various security threats that lurks around channel over HTTPS during the initial authentication the internet. Especially in this age of Internet phase and after the authentication the rest of the T everything is connected to internet. Online E- communication is done in clear plaintext. Commerce heavily rely on online transaction for example Session hijacking are of three types: bank provides users easy way of managing their • Active session Hijacking account online. As the sensitive information passes • Passive session Hijacking around the internet the confidentiality, integrity and • Hybrid Session Hijacking availability of such information become increasingly a) Active session hijacking ) hard to protect. One needs to develop capable E

In active session hijacking the attacker tries take ( defensive mechanism to keep all the threats that poses over active session between the user and the server by threats to the CIA (Confidentiality, Integrity, and either putting off the valid user from the connection and availability) of the information. Security threats like man- start making connection to the server masquerading as in-the-middle attack, sniffing, Denial-of-service attack, the valid user. The way attacker put off the valid user is ARP spoofing, session hijacking are some of the most by putting the active user out of the connection via prevalent attack performed daily by numerous attackers Denial of service attack. Before making the valid user around the world on the internet. out of the valid active session he/she captures data that A recent study performed by company Stake is sent back and forth between the user and the server (Owned by Symantec) shown that 31% of e-commerce by putting himself in between the connection between applications are vulnerable to session hijacking the connections and sniffing the data by packet [Morana, Marco]. In the paper below I will go details on capturing tool like Wireshark. In the figure below we see the session hijacking attack by giving the literature the three packets highlighted which is TCP three way review of this attack. Also I will simulate the attack handshake packet that are used to authenticate client to methodology to understand the mechanism better and the server during the initial authentication session as finally will provide the general protection strategies for shown below: mitigating such attack.

II. Literature Review

As we will be looking into the session hijacking Global Journal of Computer Science and Technology Volume XVI Issue I Version let’s get bit of background on what is session hijacking and how it works. Session hijacking or Session Sidejacking both means taking over unauthorized already created trusted session in order to steal or compromise user’s data. It’s a well -known man-in-the-middle attack. A valid user who

Author: BSc in Computer Security & Forensics MSC in Information Assurance Saint Cloud State University. e-mail: [email protected] © 2016 Global Journals Inc. (US) State of the Art Survey on Session Hijacking

201 Year

Fig. 1 : TCP-Three way Handshake packet Captureby Wireshark

) The active session can be better illustrated as the diagram shown below: E (

Global Journal of Computer Science and Technology Volume XVI Issue I Version

Fig. 2 : Active Session Hijacking AS we can see from the figure above the monitoring traffic between them. As it sees fit, it puts off attacker find himself in middle of the connection the valid user out of the session and takes over the between valid session of the user and the server and session.

©2016 Global Journals Inc. (US) State of the Art Survey on Session Hijacking b) Passive Session Hijacking packets captured from the user and sending it to the In passive session hijacking the attacker server. The disadvantage of such attack is that the captures all the packet between the user and the server attack is valid until there is valid session still in and it send out valid packet to the user masquerading continuation. If for some reason the server resets the as server and same way sending packet to server connection or user logs off from the server the session masquerading as user. It’s also referred as session- will be terminated. replay attack where the attacker basically replaying

201 Year

Fig. 3 : Passive Session Hijacking As shown in the figure above the attacker is network so unless the attacker can make the networking replaying packet between user and the server and it devices like switch and router to restart itself so it can modifies the packet as it goes from user to the server. capture the broadcast packet or by poising the CAM table of the switch it can place itself in the routing table c) Hybrid Session Hijacking and reroutes packet to itself for packet capturing. In hybrid session hijacking the attacker uses In application level the attacker hijack the both passive and active mode to complete the attack. )

session as well as tries to create new session with newly E

The attacker monitors the traffic pattern ( constructed session ID’s which can be stolen or between the user and the server and wait for the right guessed or crafted in a such way that it validates the session to take over. attacker with the target machine to take over existing This type of session hijacking relies on spoofing session or create new session [Sans.org,. (2015)]. and it can be further categorized to two types: The session ID’s can be found in place like:

• Blind Spoofing attack [Ollman, Gunter]

• Non-Blind spoofing attack • In the HTTP GET request that is made when clicking on the embedded link on the web page. d) Blind Spoofing attack • When any HTTP post command issued typically with In blind spoofing attack the attacker attacks the form that post data from client to the server. The target machine without tempering with the connection. It session ID is hidden inside the form in the hidden simply captures all the packets between the client and field. the server and it tries to guess the TCP packet • Also the cookies are used to hold session ID’s. sequence number so that it can authenticate with the server. The problem with this type of attack is it’s very f) Obtaining Session ID’s hard to guess the TCP sequence number as it can be There are number of ways anattacker can steal very random number which makes it harder to guess. session ID’S. Some of the ways are described below: Also its time consuming and the attacker might need to wait long time to get success with this type of the attack. g) Sniffing One of the way the hijacker can steal session Global Journal of Computer Science and Technology Volume XVI Issue I Version e) Non-Blind spoofing attack ID’S are by sniffing out the network traffic just like taking In non-blind spoofing attack the attacker can over TCP session. This way the attacker monitors traffic actually monitor the traffic between the user and the to see if there is any unencrypted packets traversing and target server. This way it’s easy for the attacker to guess by finding so it can redirect the traffic through a host that the next packet in case if it wants to guess the TCP it can monitor. Unencrypted traffic often has session ID sequence number of the next packet. It’s hard to inside and attacker can easily get the session ID and implement in today’s network as the administrator now use it to take over already established session or create turns off the broadcast packet transmission around the new session.

h) Brute Forcing We will be showing a session hijacking in a Another way the attacker can get the session ID simulated environment in Virtual Environment where the is either guessing the session ID’s or by attempting set up will be as follows: different session ID until it gets the right one. It can be • Victim Machine (Windows 7 VM) automatic attack where attacker sets up certain pattern • Attacking Machine (Kali Linux VM) and it looks through all the patterns until it finishes. This • Sniffed Router/Switch type of attack is particularly successful if the session ID The Tool we will be using for carrying out the attack are number generation is not Random number and there is as follows: high chances the attacker will guess the session ID • Kali Linux correct. • Ettercap i) Misdirected Trust • Hamster And Ferret Another form of attack where what attacker 201 The kali Linux tool will be used as attacking does is HTML injection or CSS (Cross Site Scripting) machine to sniff out the traffic from victim machine

Year attack to misdirect valid traffic to the attacker. This way it which is windows 7 VM and Router.

can steal the session ID as the data is sent back from Our simulated Attack looks like following below: 4 server to the host. This sort of attack relies heavily on the

vulnerability of the web application on which this attack

is performed since the success of the HTML injection

and the CSS attack depends on the defensive

mechanism of the web application it is attacking to.

j) Tools Used For Session Hijacking Some of the tools used to steal session Hijacking are: • Hunt

• T-Sight

• Juggernaut

• TTY Watcher

• ) Hamster and Ferret

E • Wireshark ( • Ethereal

III. Attack Methodology

Session attack methodology can be shown in following steps as shown below in the figure

Global Journal of Computer Science and Technology Volume XVI Issue I Version

Fig. 4 : Session Hijacking Steps

201 Year

Fig. 5 : Simulated Attack Diagram

We will be stealing HTTPS connection from The Router/ gateway Address: 192.168.1.1 VICTIM to get the USER Login and Password he/she put ) Local Loopback address: 127.0.0.1 E ( in. For our demonstration purposes the IP network b) Setting up Attacker Machine configuration is as follows: We need to at first set up Attacker machine Kali The attacker machine and the Victim machine is Linux the Men in the middle between the router and the set up in Virtual box and they were in private IP address victim machine Windows 7. subnet 192.168.1.0 We at first check our connectivity from Attacker machine to the Victim machine by pinging our victim a) IP Address machine as shown below: Attacker IP Address: 192.168.1.108 (KALI LINUX) Victim’s IP Address: 192.168.1.107 (WINDOWS 7) Global Journal of Computer Science and Technology Volume XVI Issue I Version

Fig. 6 : Checking Connectivity between Attacker and the Victim machine

Now in order to crack HTTPS connection we We do that by following command need to have SSL strip in the attacker machine. So we cp /etc/sysctl.conf /etc/sysctl.conf.bak type in the following command in our attacker machine vi /etc/sysctl.conf and Press Enter after each command above: We find thenet.ipv4.ip_forward=1 line and SSLstrip Download Code: uncomment it. Then we save the file CONTROL+X and cdcurl http://www.thoughtcrime.org/software/sslstrip/ssl save it. strip-0.9.tar.gz > sslstrip-0.9.tar.gz Now we need to set up IP tables Rule in the tarxzf sslstrip-0.9.tar.gz command prompt of the attacker machine as follows: cd sslstrip-0.9 iptables -t nat -A PREROUTING -p tcp --destination-port Now we need to forward the Traffic generated in 80 -j REDIRECT --to-port 8080 HTTP by forwarding the IP traffic by NAT forwarding in iptables -t nat–L 201 our Attacker Machine. We see from following figure the output of the iptables We do that by uncommenting the net.ipv4. Year we configured above ip_forward=1line inside the/etc/sysctl. conf file.

6 ) E (

Fig. 7: IP forwarding Now we need to set up SSLtrip to act as sniffing between victim and the attacker machine to strip any

Global Journal of Computer Science and Technology Volume XVI Issue I Version HTTP connections from the victim machine. On the attacker machine we type in the following command to install the ssstrip

Cd sslstrip-0.9

python sslstrip.py -p -l 8080 We need to keep the windows open as it will generates traffic as the victim machine browse to any webpages with its browser:

201 Year

7 Fig. 8 : sslstripsetup Now the sslstrip will generate its traffic captured monitor capture traffic from the victim’s machine as from the victim’s machine and save it to its logfile. So we shown below: need to monitor its logfile in order to capture cd information.

On the attacker machine we type in following cd sslstrip-0.9 command to open the log file and keep it open to tail -f sslstrip.log ) E (

Fig. 9 : Monitoring Logfile of captured data

Now we need to make the victim’s machine http traffic to pass by proxy server we do that my ARP poisoning attack.

We do that by Ettercap in kali Linux. We open it Global Journal of Computer Science and Technology Volume XVI Issue I Version and scan the host. From the host list we put our router192.168.1.1to target 1 and the victim’s machine 192.168.1.107to target 2 and start ARP poisoning as shown below:

201 Year

Fig.10 : ARP Poisoning Victim’s Machine Now let’s go to the attacker machine and open

) citybank online banking login page and we put ID as

( 123456 and password as =rivery227as shown below:

Global Journal of Computer Science and Technology Volume XVI Issue I Version

Fig. 11: Victim’s Online Banking Login page

If we see the attacker machines ssltriplog file we The victim did not see the login page of his will see it captured the ID and the password similar to online banking been strip down from HTTPS to HTTP as what was mentioned earlier. It successfully stole the shown above. HTTP session of the victim’s machine and strip of the HTTP to http as shown above in the figure above to steal login ID and the password. 201 Year

)

Fig.12 : Login ID and Password Stealing by HTTP Session Hijacking E (

Now the attacker is inside the session as long as the victim’s will be and do any further attack as he/she might find it useful.

IV. Survey Analysis

A survey was done about the awareness of the Session hijacking. Between researchers, common users and the administrator. As expected the common users have very less knowledge about the session hijacking followed by the Administrator. Surprisingly the administrator though they knew about the session hijacking had very little knowledge on how to prevent it. For successful mitigation of session hijacking one needs to have awareness as well as secure operation policies implemented in the organizations. The graph below shows the session hijacking awareness between common user, administrator and the researchers. Global Journal of Computer Science and Technology Volume XVI Issue I Version

201 Year

Fig. 13 : Session Hijacking Awareness [Louis, J. (2011)]

V. Counter Measure to Session he/she cannot replay the packet as the data will be encrypted [Webopedia]. Hijacking

c) HTTPS Connection Only

) There are number of ways session hijacking can It is very important to use HTTPS connection E be prevented. The countermeasure against session

( hijacking discussed below provided are based on while login to your webserver, or any E-commerce site recommended session hijacking techniques [CEHv8. like Online banking, shopping sites as it encrypts the Ethical Hacking and Counter Measures].We will be data with SSL as mentioned earlier to encrypt the dividing the session hijacking in two layer of OSI layer authentication data back and forth. Attacker even if is as: successful to capture data will not be able to make any sense out of the data. • Network layer

• Application layer d) Implementing IPSec Protocol in Network Layer

VI. Network Layer IPSec protocol ensures the secure exchange of the IP packet and it provides two protection service. In a) Use of SSL at all time transport mode it encrypts the data of the packet while

Use SSL connection whenever it’s possible. in tunnel mode it encrypts the data as well as the header SSL (Secure Socket layer) Provide end to end of the packet making the attacker hard to guess where the packet is going and coming from. encryption which make it really hard for attacker to look into any data passing over this encrypted SSL channels e) IDS/IPS Implementation uses public key and symmetric key which are of 128/256

bits. Since it provides the integrity as well as the Implementing IDS/IPS along with firewall with confidentiality sniffing and loss of information is proper rules can detect IP spoofing, packet sniffing protected while using SSL connection. which is the key to the session hijacking at the network

Global Journal of Computer Science and Technology Volume XVI Issue I Version layer. For example the rule can be set up as ignoring b) Use SSH for Remote Connection: source routed packets or even blocking the source- Often the remote connection to network devices routing completely. ARP poisoning as shown above in or web server is required for the administrator for remote the simulated attack can be prevented by implementing administration. SSH can protect the network as it guards static ARP table or by monitoring ARP table with tool like against the IP spoofing as well as the data is encrypted. ‘’arpwatch’’. Other techniques like ICMP redirection An attacker if has access to the target network can force disabling can make it even harder for attacker to the connected SSH user out of the connection but perform the MITM (Men in the Middle Attack).

©2016 Global Journals Inc. (US) State of the Art Survey on Session Hijacking f) Application Layer • Generate ID after the authentication - Often before Application layer deals with attacks on Web as the authentication is performed the session ID is our attack involved in URL session ID hijacking we will generated and shared that way the session ID is see below the countermeasure that can prevent such exposed to the attacker and they can carry out attacks. session fixation attack. So for security reason the session ID should be generated after the g) Strong Session ID Session ID is key to authenticate, create, re- authentication is done. establish connection with server. Session ID key must • Token Regeneration- Once in a while if the session be strong nor predictable and it needs to be truly token is regenerated it becomes hard for the hacker random. The session ID management system both in to remain in valid session as after certain time the the client side and the server side needs to implement session token becomes useless. Webserver can be strong session management system. Following are implemented in a way to regenerate session tokens some of the steps that can be taken to generate strong giving the attacker less time to be on a session 201 Session IDs [Martin Eizner, and Roy McNamara “A Guide to Year Building Secure Web Applications].

• Making the Session ID Random – As mentioned

11 earlier the more random the session ID is more it’s • Time-Out- Time out should be implemented after harder for attacker to guess or brute force the certain period of inactive time period so that the session ID. For making robust random session ID attacker cannot exploit any idle session. one can put the session number generation to a • Proper Input Validation Checking – Proper form input statistical analysis test. validation checking needs to be impleme nted from • Making The Cookie or the session ID longer – The the server side. Often the Cross site scripting, HTML longer the session ID is harder it will be to brute injection vulnerability allows the attacker to take over force against. It will be very difficult to brute forcing the web application and thus exploiting the session. against session ID of 50 characters in given time. • Detecting Session ID Brute Forcing attacks - • Use Server generated Session IDs – Often the client OWASP suggest using booby traps session tokens side use its own session ID’s which is less to detect any brute forcing on session ID token. vulnerable to session hijacking. [Search Software Quality. (2015)]. It’s a token which )

• Encrypt The Session IDs – one can further encrypt is attached to the actual session token to detect any E

( the session Id to protect it from tempering. The brute force on tokens. session Id that is passed inside the encrypted • Captcha Prevention Technique: -CAPTCHA means channel SSL may look different from the one that is passed inside the unencrypted channel. One can Completely Automated Public Turing test to tell write script to encrypteach session or can encrypt Computers and Humans Apart” [AriyanZarei, the whole channel by SSL. One such script for (2014)]. It will help to enforce only one session per encrypting session are as follow: one single user and also will protect from any automated brute forcing attacking as CAPTCHA Session Encryption Code: [D. (2015). Do you need to requires to put input based on some visual encrypt session data?] representation of images which requires human session_start(); input keeping bot at bay.

• Awareness and Training: It’s the awareness which if (isset($_SESSION['fingerprint'])) often are the most neglected aspect and until the users are properly trained or at least be aware of if ($_SESSION['fingerprint'] != how to safeguarding against session hijacking md5($_SERVER['HTTP_USER_AGENT'].'SECRETSALT')) attacks it’s very difficult attack to guard against. exit; // prompt for password User should be aware of why using encrypted else connection always, when to use proxy, VPN $_SESSION['fingerprint'] = connection or to have strong password set up for Global Journal of Computer Science and Technology Volume XVI Issue I Version md5($_SERVER['HTTP_USER_AGENT'].'SECRETSALT'); their online account etc. All these will add up to the

better safe environment against session hijacking. • Forced Log Out - There should be a mechanism to log out user and prompt for re-authentication for VII. Observations & Recommen Dations new connection that way the attacker cannot use the same session ID to take control of the session. In this paper the simulated attack on CITY bank So every new connection there should be new session hijacking was analyzed from literature and authentication and log out of the current practical point of view and also the countermeasure to authenticated user.

s uch attack was explored in the end. The actual attack http://uobrep.openrepository.com/uobrep/handle/10 though did not yield in catastrophic effects but the 547/211810# researcher was startled to see how attacker was able to 6. CEHv8. Ethical Hacking and Counter Measures. easily get into the victim’s session just by modifying “Session Hijacking Module 11” [Online]. Available: Cookie or session ID changes. Such attack can further https://www.wiziq.com/tutorial/714466 -CEHv8-Mod exploits vulnerable system inside the bank’s ule-11-SessionHijacking. [Accessed: 10-Oct-2014]. infrastructure which can enable the further severe 7. Webopedia: Online Computer Dictionary for exploitation to be successful. The hacker can get the Computer and Internet Terms and Definitions. 2004. users data and email ID. Nonetheless it’s been 20 Dec. 2004. http://www.webopedi a.com/ projected that the user data loss will prosper further 8. D. (2015). Do you need to encrypt session data?. scamming and fishing attacks. The general Security.stackexchange.com. Retrieved 1 November recommendation to prevent such further attack 2015, from http://security.stackexchange.com/ 201 encrypted and longer session ID with time out and questions/18880/do-you-need-to-encrypt-session- effective IDS/IPS with Brute forcing detection data Year mechanism to deter any attacker in carrying out such 9. Curphey, Mark, David Endler, William Hau, Steve

attacks in future. Taylor, Tim Smith, Alex Russell, Gene McKenna, 12 Richard Parke, Kevin McLaughlin, Nigel Tranter, VIII. Conclusion Amit Klien, Dennis Groves, Izhar By-Gad, Sverre In this short survey paper we tried to have look Huseby, Martin Eizner, Martin Eizner, and Roy at the session hijacking attack and its implementation McNamara “A Guide to Building Secure Web with demo Attack. The attack carried out by the attacker Applications.” The Open Web Application Security though was not known in terms of details that much but Project. 11 Sept. 2002. 20 Dec. 2004. the security expert stated it was due to session hijacking 10. Search Software Quality,. (2015). OWASP Guide to attack. Session hijacking has been on the rise on recent Building Secure Web Applications and Web past mainly due to the users/developers/administrators Services, Chapter 11: Session Management. lack of awareness and poor session management of Retrieved 1 November 2015, from http://sear some of the web application and servers on the internet. chsoftwarequality.techtarget.com/news/1156684/OA By putting the effective countermeasure mentioned in SP-Guide-to-Building-Secure-Web-Applications-nd- ) Web-Services-Chapter-11-Session-Managem ent. E the countermeasure section of this paper one cannot ( fully prevent such attacks but can at least make attacker 11. Ariyan Zarei, (2014) “IMPROVE CAPTCHA’S to come harder and use some other tricks rather than SECURITY USING GAUSSIAN BLUR FILTER,” the usual attack performed in this paper. Also it’s [Online]. Available: http://arxiv.org/ftp/arxiv/papers recommended to test the defensive mechanism that are /1410/14 10.4441.pdf [Accessed: 15-Dec-2014] in place and also monitor to deter, prevent and counter Authors Biography attack on such attacks if ever take place. Parves Kamal: Department of Information Systems St References Références Referencias Cloud State University. e-mail: [email protected] 1. Morana, Marco. “Make It and Break It: Preventing

Session Hijacking And Cookie Manipulation.”

Secure Enterprise. 23 Nov. 2004. 20 Dec. 2004.

http://nwc.securitypipeline.com/howto/53701241 2. Whitaker, A., & Newman, D. (2006). Penetration testing and network defense. Indianapolis, IN: Cisco Press. 3. Sans.org,. (2015). Retrieved 30 October 2015, from https://www.sans.org/reading-room/whitepapers/ ecommerce/overview-session-hijacking-network-

Global Journal of Computer Science and Technology Volume XVI Issue I Version application-levels-1565 4. Ollman, Gunter. “Web Session Management: Best Practices in Managing HTTP Based Client Sessions.” Technical Info: Making Sense of Security. Accessed: 20 Dec. 2004. http://www. technicalinfo.net/papers/WebBasedSessionManage ment.html 5. Louis, J. (2011). Detection of session hijacking. University Of Bedfordshire. Retrieved from